A Look at the New WordPress Brute Force Amplification Attack

Recently, a new brute force attack method for WordPress instances was identified by Sucuri. This latest technique allows attackers to try a large number of WordPress username and password login combinations in a single HTTP request.

The vulnerability can easily be abused by a simple script to try a significant number of username and password combinations with a relatively small number of HTTP requests. The following diagram shows a 4-fold increase in login attempts to HTTP requests, but this can trivially be expanded to a thousand logins.

WordPress XML-RPC Brute Force Amplification Attack

This form of brute force attack is harder to detect, since you won’t necessarily see a flood of requests. Fortunately, all CloudFlare paid customers have the option to enable a Web Application Firewall ruleset to stop this new attack method.

What is XML-RPC?

To understand the vulnerability, it’s important to understand the basics of XML remote procedure call (XML-RPC).

XML-RPC uses XML encoding over HTTP to provide a remote procedure call protocol. It’s commonly used to execute various functions in a WordPress instance for APIs and other automated tasks. Requests that modify, manipulate, or view data using XML-RPC require user credentials with sufficient permissions.

Here is an example that requests a list Continue reading
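The detection angle the post raises (many credential checks hidden inside one request) can be turned into a concrete request-body check. The following is an added example, not code from the post, Sucuri or WordPress; it assumes the amplification rides on the standard XML-RPC `system.multicall` method (which the excerpt above does not name) and the request bodies are constructed samples. It counts how many credential-bearing calls one body carries and lets a WAF-style policy block anything above a limit.

```python
"""Flag login amplification inside a single WordPress XML-RPC request.

Added example; not code from the original post, Sucuri or WordPress.
Assumes the amplification uses the standard XML-RPC ``system.multicall``
method, which lets one request body carry many method calls, each with
its own credentials. Request bodies below are constructed samples.
"""
import xml.etree.ElementTree as ET

# WordPress XML-RPC methods whose first two params are username/password.
# Constructed subset for illustration; the real list is longer.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts"}
MAX_CREDENTIAL_CALLS = 1      # policy: one credentialed call per request
MAX_BODY_BYTES = 64 * 1024    # cap enforced before parsing untrusted XML


def method_names(body):
    """Return every method name the request invokes, expanding multicall."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("request body too large")
    # In production prefer defusedxml; the stdlib parser keeps this
    # example dependency-free.
    root = ET.fromstring(body)
    top = root.findtext("methodName")
    if top != "system.multicall":
        return [top]
    names = []
    # Each call inside a multicall is a <struct> with a 'methodName' member.
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if member.findtext("name") == "methodName":
                names.append(member.findtext("value/string"))
    return names


def assess_request(body, limit=MAX_CREDENTIAL_CALLS):
    """Summarize one request body and decide whether to block it."""
    names = method_names(body)
    cred = [n for n in names if n in CREDENTIAL_METHODS]
    return {
        "total_calls": len(names),
        "credential_calls": len(cred),
        "block": len(cred) > limit,
    }


def sample_multicall(n):
    """Constructed body with n credentialed calls wrapped in system.multicall."""
    call = (
        "<value><struct>"
        "<member><name>methodName</name>"
        "<value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        "<value><string>user</string></value>"
        "<value><string>pass</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
    )
    return (
        "<?xml version='1.0'?><methodCall>"
        "<methodName>system.multicall</methodName>"
        "<params><param><value><array><data>" + call * n +
        "</data></array></value></param></params></methodCall>"
    ).encode()


# Constructed ordinary single-call request, the benign baseline.
SAMPLE_SINGLE = (
    b"<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
    b"<params><param><value><string>user</string></value></param>"
    b"<param><value><string>pass</string></value></param></params></methodCall>"
)

if __name__ == "__main__":
    print(assess_request(SAMPLE_SINGLE))
    print(assess_request(sample_multicall(4)))
```

The body-size cap matters on its own: a request large enough to carry hundreds of credentialed calls is rejected before the XML parser ever runs, which also bounds parser cost. Rejecting `system.multicall` outright is the blunter alternative when no legitimate client needs it.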

Before adding solid-state drives, right-size your infrastructure using workload profiling

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

If you’re looking to add Solid-State Drives to your storage environment you want to avoid under-provisioning to ensure performance and scalability, but to meet cost goals and avoid unnecessary spending you need to avoid over-provisioning. Workload profiling can help you achieve the critical balance.

A recent survey of 115 Global 500 companies by GatePoint Research and sponsored by Load DynamiX showed that 65% of storage architects say they are doing some sort of pre-deployment testing before making their investment decision.  Alarmingly, only 36% understand their application workload I/O profiles and performance requirements. They don’t know what workload profiling is and how it can be used to accurately evaluate vendors against the actual applications that will be running over their particular storage infrastructure.

To read this article in full or to leave a comment, please click here

Germany will make telcos share customer data with the police

Even as the European Union attempts to tighten privacy laws, law-enforcement interests have won a battle in Germany: a new law forces communications service providers there to once again make data about their customers' communications available to police.

On Friday morning, the German parliament approved a law requiring ISPs and mobile and fixed telecommunications operators to retain communications metadata for up to ten weeks.

The country has had an on-again, off-again affair with telecommunications data retention, first introducing a law requiring it in 2008 to comply with a European Union directive.

The German Federal Constitutional Court overturned that law in March 2010 after finding it conflicted with Germany's privacy laws, prompting the European Commission to take the country to court in May 2012 to enforce the directive.

To read this article in full or to leave a comment, please click here

Six key challenges loom over car communication technology

As car-makers build more tech-savvy autos, their ability to communicate and interact with smart infrastructure to prevent accidents or warn of impending road hazards faces a number of challenges that may hinder its deployment.

Watchdogs at the Government Accountability Office this week said that while the Department of Transportation will over the next five years spend $100 million via its Connected Vehicle pilot program, which deploys Vehicle-to-infrastructure (V2I) technologies in real-world settings, many challenges with the technologies remain.

To read this article in full or to leave a comment, please click here

Stuff The Internet Says On Scalability For October 16th, 2015

Hey, it's HighScalability time:

The otherworldly beauty of the world's largest underground Neutrino Detector. Yes, this is a real thing.

If you like Stuff The Internet Says On Scalability then please consider supporting me on Patreon.
  • 170,000: depression era photos; $465m: amount lost due to a software bug; 368,778: likes in 4 hours as a reaction to Mark Zuckerberg's post on Reactions; 1.8 billion: pictures uploaded every day; 158: # of families generously volunteering to privately fund US elections.

  • Quotable Quotes:
    • @PreetamJinka: I want to run a 2 TB #golang program with 100 vCPUs on an AWS X1 instance.
    • Richard Stallman: The computer industry is the only industry that is more fashion-driven than women's fashion.
    • The evolution of bottlenecks in the Big Data ecosystem: Seeing all these efforts to bypass the garbage collector, we are entitled to wonder why we use a platform whose main asset is to offer a managed memory, if it is to avoid using it?
    • James Hamilton: Services like Lambda that abstract away servers entirely make it even easier to run alternative instruction set architectures.
    • @adrianfcole: Q: Are we losing money? A: Continue reading

AT&T to ‘lifelong customer:’ Shut up & talk to the lawyers

You don't need an MBA to know that in business, few things are more important than listening to your customers. So it's surprising that AT&T CEO Randall Stephenson, who earned an MBA from the University of Oklahoma, told a customer that AT&T isn't at all interested in his suggestions. Ever. In fact, if you send Stephenson an unsolicited suggestion, you'll get a similar response from his lawyers.

Reuters/Kevin Lamarque: AT&T CEO Randall Stephenson

To read this article in full or to leave a comment, please click here

Musings on Datanauts #9

I listened to episode 9 of the excellent Datanauts podcast with Ethan Banks and Chris Wahl recently.

Great job with this one, guys. I can tell how engaged I am in a podcast by how often I want to interrupt you :)

For this episode, that was lots of times!

Since I couldn't engage during the podcast, I'm going to have a one-sided discussion here, about the topics that grabbed my attention.

RARP?
Chris explained that the 'notify switches' feature of an ESXi vSwitch serves to update the L2 filtering table on upstream physical switches. This is necessary any time a VM moves from one physical link (or host) to another.

Updating the tables in all of the physical switches in the broadcast domain can be accomplished with any frame that meets the following criteria:

  • Sourced from the VM's MAC address
  • Destined for an L2 address that will flood throughout the broadcast domain
  • Specifies an Ethertype that the L2 switches are willing to forward
VMware chose to do it with a RARP frame, probably because it's easy to spoof, and shouldn't hurt anything. What's RARP? It's literally Reverse ARP. Instead of a normal ARP query, which asks: "Who has IP Continue reading
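To make the three criteria above concrete, here is an added example (not code from the post or from VMware) that builds a RARP frame of the kind described and checks a frame against those criteria. It uses the plain RARP layout (EtherType 0x8035, RFC 903 body, opcode 3 = reverse request); the MAC addresses and the set of EtherTypes assumed to be forwarded are constructed sample values.

```python
"""Build and check a RARP 'notify switches' style frame.

Added example; not code from the original post or from VMware. Uses the
plain RARP layout (EtherType 0x8035, RFC 903 body, opcode 3 = reverse
request). MAC addresses and the forwarded-EtherType set are constructed
assumptions for the example.
"""
import struct

ETHERTYPE_RARP = 0x8035
RARP_REQUEST = 3
BROADCAST = b"\xff" * 6
MIN_FRAME = 60  # minimum Ethernet frame length, FCS excluded
# EtherTypes a typical access switch forwards without inspection
# (assumption for the example: IPv4, ARP, RARP).
FORWARDED_ETHERTYPES = frozenset({0x0800, 0x0806, ETHERTYPE_RARP})


def build_rarp_notify(vm_mac):
    """Broadcast RARP request sourced from the VM MAC, padded to 60 bytes."""
    eth = struct.pack("!6s6sH", BROADCAST, vm_mac, ETHERTYPE_RARP)
    # hw type 1 (Ethernet), proto 0x0800, hlen 6, plen 4, opcode 3,
    # sender/target MAC = VM, sender/target IP = 0.0.0.0 (unknown).
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, RARP_REQUEST,
                      vm_mac, bytes(4), vm_mac, bytes(4))
    frame = eth + arp
    return frame + bytes(MIN_FRAME - len(frame))


def parse_frame(frame):
    """Decode the Ethernet header and, for RARP, the ARP body."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    out = {"dst": dst, "src": src, "ethertype": etype}
    if etype == ETHERTYPE_RARP:
        fields = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)
        opcode, sha, tha = fields[4], fields[5], fields[7]
        out.update({"opcode": opcode, "sender_mac": sha, "target_mac": tha})
    return out


def updates_mac_tables(frame, vm_mac, forwarded=FORWARDED_ETHERTYPES):
    """Apply the three criteria from the post; return (ok, reasons)."""
    hdr = parse_frame(frame)
    reasons = []
    if hdr["src"] != vm_mac:
        reasons.append("source MAC is not the VM's; switches would learn the wrong port")
    # Broadcast and multicast (I/G bit set) flood the whole broadcast domain.
    if not hdr["dst"][0] & 0x01:
        reasons.append("unicast destination; frame may not flood")
    if hdr["ethertype"] not in forwarded:
        reasons.append("EtherType 0x%04x may be filtered" % hdr["ethertype"])
    return (not reasons, reasons)


if __name__ == "__main__":
    vm = bytes.fromhex("005056a1b2c3")  # constructed VMware-range MAC
    f = build_rarp_notify(vm)
    print(len(f), parse_frame(f), updates_mac_tables(f, vm))
```

The check also explains why a frame with a wrong source MAC is worse than no frame at all: upstream switches would learn the VM's MAC on whatever port the frame arrived on, so a migration notification must be sourced from exactly the moved MAC.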

IDG Contributor Network: Make passwords easier, spy agency says

Complex passwords don’t “frustrate hackers,” all they do is make life “harder for users,” Ciaran Martin, the Director General of Cyber Security at the United Kingdom’s spy agency GCHQ, says in a new guidance document published online (PDF). The advice contradicts previous GCHQ guidance that says that system owners should “adopt the approach that complex passwords are ‘stronger.’” GCHQ, or the Government Communications Headquarters, is the British equivalent of the National Security Agency (NSA). Amusingly, both agencies have been exposed recently as conducting widespread surveillance on their respective citizens. The more cynical might think there was a secondary motive for this advice.

To read this article in full or to leave a comment, please click here

QOTW: Knowledge

Knowledge depends on the direction given to our passions and on our moral habits. To calm our passions is to awaken in ourselves the sense of the universal; to correct ourselves is to bring out the sense of the true.
Sertillanges, The Intellectual Life

The post QOTW: Knowledge appeared first on 'net work.

Defining SDN Down

If a WAN product that uses software to control the flow of traffic is an SD-WAN, and a data center that uses software to build a virtual topology is an SD-DC, and a storage product that uses software to emulate traditional hardware storage products is SD storage, and a network where the control plane has been pulled into some sort of controller is an SDN, aren’t my profile on LinkedIn and my twitter username @rtggeek software defined people (SDP)? A related question — if there are already IoT vendors, and the IoT already has a market, can we declare the hype cycle dead and move on with our lives? Or is hype too useful to marketing folks to let it go that easily? One thing we do poorly in the networking world is define things. We’re rather sloppy about the language we use — and it shows.

Back on topic, but still to the point — maybe it’s time to rethink the way we use the phrase software defined. Does SD mean one thing emulating another? Does SD mean centralized control? Does SD mean software controlled? Does SD mean separating the control plane from the data plane? Does SD mean OpenFlow?

Continue reading

AMD suffers another loss at the hands of the PC market

Struggling amidst a continued downturn in the PC industry, AMD reported a wider loss than expected, though beating analysts’ revenue expectations.

AMD reported a third quarter 2015 loss of $197 million on revenue of $1.06 billion, blaming lower CPU and GPU sales for the red ink. A year ago, AMD reported a profit of $17 million on revenue of $1.43 billion, a drop of 26 percent in revenue. Analysts surveyed by Thomson Reuters expected AMD to report a loss of 12 cents a share and revenue of $995.87 million for the third quarter.

To read this article in full or to leave a comment, please click here

Red Hat acquires Ansible, the open source IT automation company.

The title should come as no surprise, as many have predicted such an acquisition in the past. The similar open source ideologies, the technology fit, the executive team's open source background and the rapid adoption of Ansible in the enterprise certainly draw parallels to the world's leader in open source technology. What was once a prediction is now reality, in just a little more than two years since Ansible, Inc., opened its doors, and we are thrilled!

Ansible made its name in IT automation, and our agile, simple and agentless model allowed us to reach beyond just configuration management and into application deployment and multi-tier orchestration. This helped to establish a strong lead in DevOps with CI/CD, while latching on to fast growing areas such as cloud, network and container management. Our open source project boomed, becoming one of the most successful projects on GitHub (#1 follower presence in IT automation) with more than 1,200 contributors. Ultimately, this success led to the Ansible project being named as one of 2014's top 10 open source projects, and a place in Gartner's ‘Cool DevOps Vendor’ report in 2015.

Our customer adoption has also rapidly grown since inception, with more than Continue reading

US proposal aims to regulate car privacy, make hacks illegal

A subcommittee of the U.S. House of Representatives has proposed requiring vehicle manufacturers to state their privacy policies, besides providing for civil penalties of up to US$100,000 for the hacking of vehicles.

The lawmakers have also proposed that the National Highway Traffic Safety Administration set up an Automotive Cybersecurity Advisory Council to develop cybersecurity best-practices for manufacturers of cars sold in the U.S.

The move comes in the wake of the increasing automation of cars, which has raised privacy concerns, and the high-profile hack of a Jeep Cherokee.

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade has released the staff draft ahead of a hearing next week on “Examining Ways to Improve Vehicle and Roadway Safety."

To read this article in full or to leave a comment, please click here

DH-1024 in Bitcoin terms

The recent paper on Diffie-Hellman "precomputation" estimates a cost of 45-million core-years. Of course, the NSA wouldn't buy so many computers to do the work, but would instead build ASICs to do the work. The most natural analogy is how Bitcoin works. Bitcoin hashes were originally computed on CPU cores, then moved to graphics co-processors, then FPGAs, then finally ASICs.

The current hashrate of Bitcoin is 460,451,594,000 megahashes/second. An Intel x86 core computes about 3 megahashes/second, so that hashrate is equivalent to 153,483,864,667 CPU cores. Divide this by 45 million core-years for precomputing 1024-bit DH, and you get 3410 DH precomputations per year. Thus, we get the following result:
The ASIC power in the current Bitcoin network could do all the necessary precomputations for a Diffie-Hellman 1024 bit pair with 154 minutes worth of work. Or, the precomputation effort is roughly equal to 15 bitcoin blocks, at the current rate.
(Update: I did some math wrong, it's 154 minutes not 23 minutes)

Another way of comparing is by using the website "keylength.com", which places the equivalent effort of cracking 1024 DH with 72 to 80 bits of symmetric crypto. At the current Bitcoin rate, 72 bits of crypto comes out to 15 bitcoin blocks, Continue reading